incubator-libcloud mailing list archives

From Jerry Chen <je...@apache.org>
Subject Re: [libcloud] SSL Certificate Name Verification
Date Mon, 03 Jan 2011 14:03:13 GMT

On Jan 3, 2011, at 12:54 AM, Paul Querna wrote:

> On Sun, Jan 2, 2011 at 7:29 PM, Jerry Chen <jerry@apache.org> wrote:
>> Hi all,
>> 
>> The latest commit (r1054518) [1] in libcloud 0.4.1-dev has SSL certificate name verification.
>> 
>> The code is based off of Tomaž Muraus's excellent contributions, but has a few changes:
>> 
>> 1. Introduces the libcloud.security module:
>>  - VERIFY_SSL_CERT, set to a default of False in this version for backwards compatibility
>>  - CA_CERTS_PATH, a list of search paths for certificate authority files, currently
>>    populated with common paths on *nix platforms
>>    - openssl from yum
>>    - ca-certificates from aptitude, pacman
>>    - curl-ca-bundle from MacPorts
>> 2. Introduces LibcloudHTTPSConnection, a subclass of httplib.HTTPSConnection
>>  - reads libcloud.security.VERIFY_SSL_CERT
>>  - emits warning if VERIFY_SSL_CERT is set to False
>>  - emits warning if cannot find a certificate in CA_CERTS_PATH
>>  - checks both commonName, subjectAltName with wildcard support
>> 3. Removes M2Crypto dependency
>> 
>> OS X support does NOT work out of the box without an external CA cert file, because
>> root certificates are held in Keychain format [2], rather than the standard PEM format.  That
>> being said, one of the paths in CA_CERTS_PATH includes the MacPorts curl-ca-bundle.
>> 
>> As always, feedback, bugs and comments are welcomed.
> 
> Thanks to you and Tomaz for figuring this out!
> 
> I don't really like that the default first experience on OS X will
> emit a warning.  I kinda wish we had a better way to handle that
> situation.  I don't know of a better option though, besides bundling a
> CA list, which would suck for many other reasons.

The only alternative I could think of is providing a different deprecation warning, which
would include instructions on exporting root certificates straight from Keychain with `keytool`
to a path like /opt/libcloud/cacert.pem, and then already having this path in the CA_CERTS_PATH
setting.

Unfortunately, I was not able to figure out how to use `keytool` correctly and do this in
bulk.

> My other question was, is the SSL library now required to use
> libcloud?  My understanding is that the ssl module was added in Python
> 2.6 -- meaning the minimal version for libcloud is now Python 2.6.

That is a very good point. However, it looks like perhaps the cheeseshop ssl package might
be compatible with 2.3+, according to http://pypi.python.org/pypi/ssl/.

> This personally doesn't pose a problem, but could be a pain for older
> RHEL, or even Ubuntu 8.04, which are still only Python 2.4 or 2.5
> (which until this change, my understanding was that libcloud worked on
> those platforms).

I will have to test it out on an older 2.x; either way, the native ssl module or a PyPI package
(if viable) will be necessary for SSL verification.

Cheers,
Jerry

> Thoughts?
> 
> Thanks,
> 
> Paul
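As an added illustration (not code from the libcloud commit discussed in this thread), here is a small Python 3 hostname matcher in the spirit of the check described in point 2 above: it collects the subjectAltName DNS entries and the subject commonName from a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns, and accepts a wildcard only as the whole leftmost label matching exactly one label. The certificate dicts are constructed samples, not real certificates.

```python
import re

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); not real certificates.
SAN_CERT = {
    'subject': ((('commonName', 'api.example.com'),),),
    'subjectAltName': (('DNS', 'api.example.com'),
                       ('DNS', '*.storage.example.com')),
}
CN_ONLY_CERT = {
    'subject': ((('organizationName', 'Example'),),
                (('commonName', '*.example.net'),)),
}


def _names_from_cert(cert):
    """Collect every DNS name the certificate claims: subjectAltName DNS
    entries first, then the subject commonName (both are checked, as in
    the change described above)."""
    names = [value for kind, value in cert.get('subjectAltName', ())
             if kind == 'DNS']
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label: '*.example.com' matches 'a.example.com' but not
    'a.b.example.com' or 'example.com'. Patterns such as '*.com' or
    'a*.example.com' are rejected outright.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    labels = pattern.split('.')
    if labels[0] != '*' or len(labels) < 3 or any('*' in l for l in labels[1:]):
        return False
    regex = r'[^.]+\.' + re.escape('.'.join(labels[1:]))
    return re.fullmatch(regex, hostname) is not None


def verify_hostname(cert, hostname):
    """Return True if any name in the certificate matches the hostname."""
    return any(_name_matches(n, hostname) for n in _names_from_cert(cert))
```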
